Masking the GLP Lattice-Based Signature Scheme at Any Order
Gilles Barthe1, Sonia Bela¨ıd2, omas Espitau3, Pierre-Alain Fouque4, Benjamin Gregoire´ 5, Melissa´ Rossi6,7, and Mehdi Tibouchi8
1 IMDEA Soware Institute [email protected] 2 CryptoExperts [email protected] 3 Sorbonne Universite,´ Laboratoire d’informatique de Paris VI [email protected] 4 Universite´ de Rennes [email protected] 5 Inria Sophia Antipolis [email protected] 6 ales 7 Ecole´ Normale Superieure´ de Paris, Departement´ d’informatique, CNRS, PSL Research University, INRIA [email protected] 8 NTT Secure Platform Laboratories [email protected]
Abstract. Recently, numerous physical aacks have been demonstrated against laice- based schemes, oen exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those aacks is an important problem. However, few counter- measures have been proposed so far. In particular, masking has been applied to the decryp- tion procedure of some laice-based encryption schemes, but the much more dicult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. In this paper, we describe the rst masked implementation of a laice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived prob- ability distribution would be prohibitively inecient, we focus on the GLP scheme of Guneysu,¨ Lyubashevsky and Poppelmann¨ (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively ecient man- ner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the eciency of the proposed countermeasure.
Keywords: Side-channel, Masking, GLP laice-based signature 1 Introduction
As the demands for practical implementations of postquantum cryptographic schemes get more pressing ahead of the NIST postquantum competition and in view of the recommendations of various agencies, understanding the security of those schemes against physical aacks is of paramount importance. Laice-based cryptography, in particular, is an aractive option in the postquantum seing, as it allows to design postquantum implementations of a wide range of primitives with strong security guarantees and a level of eciency comparable to currently de- ployed RSA and elliptic curve-based schemes. However, it poses new sets of challenges as far as side-channels and other physical aacks are concerned. In particular, the reliance on Gaussian distributions, rejection sampling or the number-theoretic transform for polynomial multiplica- tion have been shown to open the door to new types of physical aacks for which it is not always easy to propose ecient countermeasures. e issue has in particular been laid bare in a number of recent works for the case of laice- based signature schemes. Laice-based signature in the random oracle model can be roughly di- vided into two families: on the one hand, constructions following Lyubashevsky’s “Fiat–Shamir with aborts” paradigm [25], and on the other hand, hash-and-sign signatures relying on laice trapdoors, as introduced by Gentry, Peikert and Vaikuntanathan [21]. Aempts have been made to implement schemes from both families, but Fiat–Shamir signatures are more common (al- though their postquantum security is admiedly not as well grounded). e underlying frame- work is called Fiat–Shamir with aborts because, unlike RSA and discrete logarithm-based con- structions, laice-based constructions involve sampling from sets that do not admit a nice al- gebraic structure. A na¨ıve sampling algorithm would leak partial key information, in much the same way as it did in early heuristic schemes like GGH and NTRUSign; this is avoided by forc- ing the output signature to be independent of the secret key using rejection sampling. Many instantiations of the framework have been proposed [25,26,23,17,29], some of them quite e- cient: for example, the BLISS signature scheme [17] boasts performance and key and signature sizes roughly comparable to RSA and ECDSA signatures. However, the picture becomes less rosy once physical aacks are taken into account. For instance, Groot Bruinderink et al. [8] demonstrated a cache aack targeing the Gaussian sam- pling of the randomness used in BLISS signatures, which recovers the entire secret key from the side-channel leakage of a few thousand signature generations. Fault aacks have also been demonstrated on all kinds of laice-based signatures [19,7]. In particular, Espitau et al. recover the full BLISS secret key using a single fault on the generation of the randomness (and present a similarly ecient aack on GPV-style signatures). More recently, ACM CCS 2017 has featured several papers [20,28] exposing further side-channel aacks on BLISS, its variant BLISS–B, and their implementation in the strongSwan VPN soware. ey are based on a range of dierent side channels (cache aacks, simple and correlation electromagnetic analysis, branch tracing, etc.), and some of them target new parts of the signature generation algorithm, such as the rejection sampling. In order to protect against aack such as these, one would like to apply powerful counter- measures like masking. However, doing so eciently on a scheme like BLISS seems hard, as discussed in [20]. Indeed, the sampling of the Gaussian randomness in BLISS signature gener- ation involves either very large lookup tables, which are expensive to mask eciently, or iter- ative approaches that are hard to even implement in constant time–let alone mask. Similarly, the rejection sampling step involves transcendental functions of the secret data that have to be computed to high precision; doing so in masked form seems daunting.
2 However, there exist other laice-based signatures that appear to support side-channel coun- termeasures like masking in a more natural way, because they entirely avoid Gaussians and other contrived distributions. Both the sampling of the randomness and the rejection sampling of signatures target uniform distributions in contiguous intervals. Examples of such schemes include the GLP scheme of Guneysu,¨ Lyubashevsky and Poppelmann¨ [23], which can be seen as the ancestor of BLISS, and later variants like the Dilithium scheme of Ducas et al. [18] (but not Dilithium-G). In this paper, we show how to eciently mask the GLP scheme at any masking order, so as to achieve security against power analysis and related aacks (both simple power analysis and higher-order aacks like dierential/correlation power analysis). is is to the best of our knowledge the rst time a masking countermeasure has been applied to protect laice-based signatures.
Related work. Masking is a well-known technique introduced by Chari, Rao and Rohatgi at CHES 2002 [9] and essentially consists in spliing a secret value into d + 1 ones (d is thus the masking order), using a secret sharing scheme. is will force the adversary to read many in- ternal variables if he wants to recover the secret value, and he will gain no information if he observes fewer than d values. e advantage of this spliing is that linear operations cost noth- ing, but the downside is that non-linear operations (such as the AES S-box) can become quite expensive. Later, Ishai, Sahai and Wagner [24] developed a technique to prove the security of masking schemes in the threshold probing model (ISW), in which the adversary can read o at most d wires in a circuit. Recently, Duc, Dziembowski and Faust [16] proved the equivalence between this threshold model and the more realistic noisy model, in which the adversary ac- quires leakage on all variables, but that leakage is perturbed with some noise distribution, as is the case in practical side-channel aacks. Since the ISW model is much more convenient for designing and proving masking countermeasures, it is thus preferred, as the equivalence results of Duc et al. ultimately ensure that a secure implementation in the ISW model at a suciently high masking order is going to be secure against practical side-channel aacks up to a given signal-to-noise ratio. Masking has been applied to laice-based encryption schemes before [31,30]. However, in these schemes, only the decryption procedure needs to be protected, and it usually boils down to computing a scalar product between the secret key and the ciphertext (which is a linear operation in the secret data) followed by a comparison (which is non-linear, but not very dicult to mask). Oder et al. [27] point out a number of issues with those masked decryption algorithms, and describe another one, for a CCA2-secure version of Ring-LWE public-key encryption.
Our results. Masking laice-based signatures, even in the comparatively simple case of GLP, turns out to be surprisingly dicult—possibly more so than any of the previous masking coun- termeasures considered so far in the literature. e probabilistic nature of signature generation, as well as its reliance on rejection sampling, present challenges (both in terms of design and of proof techniques) that had not occurred in earlier schemes, most of them deterministic. In addi- tion, for performance reasons, we are led to require a stronger security property of the original, unprotected signature scheme itself, which we have to establish separately. More precisely, the following issues arise.
Conversion between Boolean and mod-p arithmetic masking. Most steps of the signing algorithm n involve linear operations on polynomials in the ring R = Zp[x]/(x + 1). ey can thus be
3 masked very cheaply using mod-p arithmetic masking: each coecient is represented as a sum of d + 1 additive shares modulo p. For some operations, however, this representation is less convenient. is is in particular the case for the generation of the randomness at the beginning of the algorithm, which consists of two polynomials y1, y2 with uniformly random coecients in a subinterval [−k, k] of Zp. Generating such a random value in masked form is relatively easy with Boolean masking, but seems hard to do eciently with arithmetic masking. erefore, we have to carry out a conversion from Boolean masking to mod-p arithmetic masking. Such conversions have been described before [15,13], but only when the modulus p was a power of 2. Adapting them to our seings requires some tweaks. Similarly, the rejection sampling step amounts to checking whether the polynomials in the signature have their coecients in another interval [−k0, k0]. Carrying out the corresponding comparison is again more convenient with Boolean masking, and hence we need a conversion algorithm in the other direction, from mod-p arithmetic masking to Boolean masking. We are again led to adapt earlier works on arithmetic-to-Boolean masking conversion [15,14] to the case of a non-prime modulus.
Security of the signature scheme when revealing the “commitment” value. One of the operations in signature generation is the computation of a hash function mapping to polynomials in R of a very special shape. Masking the computation of this hash function would be highly inecient and dicult to combine with the rest of the algorithm. Indeed, the issue with hashing is not obtaining a masked bit string (which could be done with something like SHA-3), but expanding that bit string into a random-looking polynomial c of xed, low Hamming weight in masked form. e corresponding operation is really hard to write down as a circuit. Moreover, even if that could be done, it would be terrible for performances because subsequent multiplications by c are no longer products by a known sparse constant, but full-blown ring operations that have to be fully masked. But more importantly, this masking should intuitively be unnecessary. Indeed, when we see the signature scheme as the conversion of an identication protocol under the Fiat–Shamir transform, the hash function computation corresponds to the verier’s sampling of a random challenge c aer it receives the commitment value r from the prover. In particular, the verier always learns the commitment value r (corresponding to the input of the hash function), so if the identication protocol is “secure”, one should always be able to reveal this value without compromising security. But the security of the signature scheme only oers weak guarantees on the security of the underlying identication protocol, as discussed by Abdalla et al. [1]. In usual Fiat–Shamir signatures, this is never an issue because the commitment value can always be publicly derived from the signature (as it is necessary for signature verication). How- ever, things are more subtle in the Fiat–Shamir with aborts paradigm, since the value r is not normally revealed in executions of the signing algorithm that do not pass the rejection sampling step. In our seing, though, we would like to unmask the value to compute the hash function in all cases, before knowing whether the rejection sampling step will be successful. If we do so, the side-channel aacker can thus learn the pair (r, c) corresponding to rejected executions as well, and this is not covered by the original security proof, nor does security with this additional leakage look reducible to the original security assumption. However, it is heuristically a hard problem to distinguish those pairs from uniform (an LWE- like problem with a rather unusual distribution), so one possible approach, which requires no change at all to the algorithm itself, is to redo the security proof with an additional, ad hoc
4 hardness assumption. is is the main approach that we suggest in this paper. Although heuris- tically safe, it is rather unsatisfactory from a theoretical standpoint, so we additionally propose another approach:9 compute the hash function not in terms of r itself, but of f(r) where f is a statistically-hiding commitment scheme whose opening information is added to actual signa- tures, but not revealed in executions of the algorithm that do not pass the rejection sampling. Using a suitable f, f(r) can be eciently computed in masked form, and only the result needs to be unmasked. It is then clear that the leakage of f(r), c is innocuous, and the modied scheme can be proved entirely with no additional hardness assumption. e downside of this approach is of course that the commitment key increases the size of the public key, the opening information increases the size of signatures, and the masked computation of the commitment itself takes a not insignicant amount of time. For practical purposes, we therefore recommend the heuristic approach.
Security of masking schemes with output-dependent probes. In order to prove the security of our masked implementation we see that we reveal some public value r or a commitment of it. Consequently, we must adapt the notion of security from the threshold probing model to account for public outputs; the idea here is not to state that public outputs do not leak relevant information, but rather that the masked implementation does not leak more information than the one that is released through public outputs. We capture this intuition by leing the simulator depend on the distribution of the public outputs. is extends the usual “non-interference” (NI) security notion to a new, more general notion of “non-interference with public outputs” (NIo).
Security proofs. e overall security guarantee for the masked implementation is established by proving the security of individual gadgets and asserting the security of their combination. For some gadgets, one establishes security in the usual threshold probing model, opening the pos- sibility to resort to automated tools such as maskComp [4] to generate provably secure masked implementations. For other gadgets, the proofs of security are given by exhibiting a simulator, and checking its correctness manually. Finally, the main theorem is deduced from the proof of correctness and security in the threshold probing model with public outputs for the masked implementation, and from a modied proof of security for the GLP scheme.
Organization of the paper. In §2, we describe the GLP signature scheme and the security assumption on which its security is based. In §3, we present the new security notions used in our proofs. en, in §4, we describe how to mask the GLP algorithm at any masking order. Finally, in §5, we describe an implementation of this masking countermeasure, and suggest some possible eciency improvements.
2 e GLP signature scheme
2.1 Parameters and security Notations. roughout this paper, we will use the following notations: n is a power of 2, p is a prime number congruent to 1 modulo 2n, R is the polynomial ring modulo xn + 1, n R = Zp[x]/(x + 1). e elements of R can be represented by polynomials of degree n − 1 p−1 p−1 with coecients in the range [− 2 , 2 ]. For an integer k such that 0 < k ≤ (p − 1)/2, we 9 We are indebted to Vadim Lyubashevsky for suggesting this approach.
5 $ denote by Rk the elements of R with coecients in the range [−k, k]. We write ←− S for picking $ uniformly at random in a set S or ←−D for picking according to some distribution D. e key generation algorithm for the GLP signature scheme is as follows:
Algorithm 1: GLP key derivation Result: Signing key sk, verication key pk $ 1 s1, s2 ←−R1 //s1 and s2 have coecients in {−1, 0, 1} $ 2 a ←−R 3 t ← as1 + s2 4 sk ← (s1, s2) 5 pk ← (a, t) Given the verication key pk = (a, t), if an aacker can derive the signing key, he can be used to also solve a DCKp,n problem dened in [23].
Denition 1 e DCKp,n problem (Decisional Compact Knapsack problem) is the problem of distinguishing between the uniform distribution over R×R and the distribution (a, as1 +s2) with s1,s2 uniformly random in R1.
In the security proof of our variant of the signature scheme, we introduce a new computa- tional problem.
Denition 2 e R-DCKp,n problem (Rejected-Decisional Compact Knapsack problem) is the n problem of distinguishing between the uniform distribution over R × R × Dα and the distribution n 2 (a, ay1 + y2, c) where (a, c, y1, y2) is uniformly sampled in R × Dα × Rk, conditioned by the event s1c + y1 ∈/ Rk−α or s2c + y2 ∈/ Rk−α.
As shown in Appendix A.3, assuming the hardness of R-DCKp,n can be avoided entirely by computing the hash value c not in terms of r = ay1 + y2, but of a statistically hiding commitment thereof. is approach shows that masking can be done based on the exact same assumptions as the original scheme, but at some non-negligible cost in eciency. To obtain a scheme that more directly follows the original one and to keep the overhead reasonable, we propose to use R-DCKp,n as an extra assumption, which we view as a prag- matic compromise. e assumption is admiedly somewhat articial, but the same can be said of DCKp,n itself to begin with, and heuristically, R-DCKp,n is similar, except that it removes smaller (hence “easier”) instances from the distribution: one expects that this makes distinguish- ing harder, even though one cannot really write down a reduction to formalize that intuition.
2.2 e signature scheme is part describes the signature scheme introduced in [23]. Additional functions like transform and compress introduced in [23] can be used to shorten the size of the signatures. Note however that for masking purposes, we only need to consider the original, non-compressed algorithm of Guneysu¨ et al., which we describe below. Indeed, signature compression does not aect our masking technique at all, because it only involves unmasked parts of the signature generation algorithm (the input of the hash function and the returned signature itself). As a result, although this paper only discusses the non-compressed scheme, we can directly apply our technique to
6 the compressed GLP scheme with no change, and in fact this is what our proof-of-concept im- plementation in section5 actually does. ∗ n e signature scheme needs a particular cryptographic hash function, H : {0, 1} → Dα, n where Dα is the set of polynomials in R that have all zero coecients except for at most α = 32 coecients that are in {−1, +1} (or α = 16 when using the updated parameters presented in [10]). Let k be a security parameter. Algorithms2 and3 respectively describe the GLP signature and verication. Here is the soundness equation for the verication : az1 + z2 − tc = ay1 + y2.
e parameter k controls the trade-o between the security and the runtime of the scheme. e smaller k gets, the more secure the scheme becomes and the shorter the signatures get but the time to sign will increase. e authors of the implementation of [23] suggest k = 214, n = 512 and p = 8383489 for ≈ 100 bits of security and k = 215, n = 1024 and p = 16760833 for > 256 bits of security.
2.3 Security proof of the r-GLP variant As mentioned above, masking the hash function of the GLP signature directly has a prohibitive cost, and it is thus preferable to unmask the input r = ay1 + y2 to compute the hash value c = H(r, m). Doing so allows a side-channel aacker to learn the pair (r, c) corresponding to rejected executions as well, and since that additional information is not available to the adver- sary in the original seing, we need to show that it does not aect the security of the scheme. is stronger security requirement can be modeled as the unforgeability under chosen mes- sage aacks of a modied version of the GLP signature scheme in which the pair (r, c) is made public when a rejection occurs. We call this modied scheme r-GLP, and describe it as Algo- rithm4. e modication means that, in the EUF-CMA security game, the adversary gets access not only to correctly generated GLP signatures, but also to pairs (r, c) when rejection occurs, which is exactly the seing that arises as a result of unmasking the value r. e following the- orem, proved in the Appendix A.2, states that the modied scheme is indeed secure, at least if we are willing to assume the hardness of the additional DCKp,n assumption.
n eorem 1. Let n, p, R and Dα as dened in section 2.1. Assuming the hardness of the DCKp,n and R-DCKp,n problems, the signature r-GLP is EUF-CMA secure in the random oracle model.
Algorithm 2: GLP signature Algorithm 3: GLP verication Data: m, pk, sk Data: m, σ, pk Result: Signature σ 1 if z1, z2 ∈ Rk−α and $ c = H(az + z − tc, m) 1 y1, y2 ←−Rk 1 2 then 2 accept 2 c ← H(r = ay1 + y2, m) 3 3 z1 ← s1c + y1 else 4 reject 4 z2 ← s2c + y2 5 5 if z1 or z2 ∈/ Rk−α then end 6 restart 7 end 8 return σ = (z1, z2, c)
7 Algorithm 4: Tweaked signature with public r Data: m, pk = (a, t), sk = (s1, s2) Result: Signature σ $ 1 y1 ←−Rk $ 2 y2 ←−Rk 3 r ← ay1 + y2 4 c ← H(r, m) 5 z1 ← s1c + y1 6 z2 ← s2c + y2 7 if z1 or z2 ∈/ Rk−α then 8 (z1, z2) ← (⊥, ⊥) 9 end 10 return σ = (z1, z2, c, r)
Remark 1. As mentioned previously, we can avoid the non-standard assumption R-DCKp,n by hashing not r but f(r) for some statistically hiding commitment f (which can itself be con- structed under DCKp,n, or standard laice assumptions). See the Appendix A.2 of this paper for details . e downside of that approach is that it has a non negligible overhead in terms of key size, signature size, and to a lesser extent signature generation time.
3 reshold probing model with public outputs
In this section, we briey review the denition of the threshold probing model, and introduce an extension to accommodate public outputs.
3.1 reshold probing model e threshold probing model introduced by Ishai, Sahai and Wagner considers implementations that operate over shared values [24]. Denition 3 Let d be a masking order. A shared value is a (d + 1)-tuple of values, typically integers or Booleans. A (u, v)-gadget is a probabilistic algorithm that takes as inputs u shared values, and returns distributions over v-tuples of shared values. (u, v)-gadgets are typically used to implement functions that take u inputs and produce v outputs. Gadgets are typically wrien in pseudo-code, and induce a mapping from u-tuples of shared val- ues (or equivalently u(d + 1)-tuples of values) to a distribution over v-tuples of values, where the output tuple represents the joint distribution of the output shared values as well as all inter- mediate values computed during the execution of the gadget. We now turn to the denition of probing security. Informally, an implementation is d-probing secure if and only if an adversary that can observe at most d intermediate values cannot recover information on secret inputs. Denition 4 d-non-interference (d-NI): A gadget is d-non-interfering if and only if every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input.
8 Denition 5 d-strong-non-interference (d-SNI): A gadget is d-strongly non interfering if and only if every set of size d0 ≤ d containing d1 intermediate variables and d2 = d0 − d1 returned values can be perfectly simulated with at most d1 shares of each input.
is notion of security is formulated in a simulation-based style. It is however possible to pro- vide an equivalent notion as an information ow property in the style of programming language security and recent work on formal methods for proving security of masked implementations.
e maskComp tool. For certain composition proofs, we will use the maskComp tool from Barthe et al. [4]. It uses a type-based information ow analysis with cardinality constraints and ensures that the composition of gadgets is d-NI secure at arbitrary orders, by inserting refresh gadgets when required.
3.2 reshold probing model with public outputs
e security analysis of our masked implementation of GLP requires an adaptation of the stan- dard notion of security in the threshold probing model. Specically, our implementation does not aempt to mask the computation of H(r, m) at line 2 of Algorithm2; instead, it recovers r from its shares and then computes H(r, m). is optimization is important for the eciency of the masked algorithm, in particular because it is not immediately clear whether one can mask the hash function H eciently—note that this kind of optimization is also reminiscent of the method used to achieve ecient sorting algorithms in multi-party computations. From a security perspective, recombining r in the algorithm is equivalent to making r a public output. In contrast with “return values”, we will refer to “outputs” as values broadcast on a public channel during the execution of the masked algorithm. e side-channel aacker can therefore use outputs in aacks. Since the usual notions of NI and SNI security do not account for outputs in that sense, we need to extend those notions of security to support algorithms that provide such outputs. e idea here is not to state that public outputs do not leak relevant information, but rather that the masked implementation does not leak more information than the one that is released through public outputs. We capture this intuition by leing the simulator depend on the distribution of the public outputs.
Denition 6 A gadget with public outputs is a gadget together with a distinguished subset of intermediate variables whose values are broadcast during execution.
We now turn to the denition of probing security for gadgets with public outputs.
Denition 7 d-non-interference for gadgets with public outputs(d-NIo): A gadget with public outputs X is d-NIo if and only if every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input.
Again, it is possible to provide an equivalent notion as an information ow property in the style of programming language security. Note that the use of public outputs induces a weaker notion of security.
Lemma 1. Let G be a d-NI-gadget. en G is d-NIo secure for every subset X of intermediate variables.
9 Informally, the lemma states that a gadget that does not leak any information also does not leak more information than the one revealed by a subset of its intermediate variables. e lemma is useful to resort to automated tools for proving NI security of some gadgets used in the masked implementations of GLP. In particular, we will use the maskComp tool. Since d-NIo security is weaker than d-NI security, we must justify that it delivers the re- quired security guarantee. is is achieved by combining the proofs of security for the modied version of GLP with public outputs, and the proofs of correctness and security for the masked implementations of GLP.
3.3 EUF-CMA-security in the d probing model GLP is claimed EUF-CMA (existential unforgeablitiy under chosen message aack). It is thus relevant to consider several accesses to the signing oracle for the masked algorithm. e fol- lowing denition introduces a notion that combines the EUF-CMA security property and the security in the ISW model.
Denition 1. A signature scheme (KeyGen, Sign, Verify) with signing key update algorithm KeyUpdate is EUF-CMA-secure in the d-probing model if any PPT adversary has a negligible probability of win- ning in the following game.
Adversary Challenger (KeyGen,Sign,Verify,KeyUpdate) ←−−−−−−−−−−−−−−−−−− O −−−−→KeyGen pk, LKeyGen λ ←−−−−−− (sk, pk), LKeyGen ← ExecObs(OKeyGen, KeyGen, 1 ) (1) m(1), O −−−−−−−→Sign σ(1), (1) ← ExecObs( (1) , Sign, , m(1)) LSign OSign sk (1) (1) σ , LSign ←−−−−−− ← KeyUpdate( ) sk sk . q queries . (q) (q) m , OSign −−−−−−−→ (q) (q) (q) (q) σ , L ← ExecObs(O , Sign, sk, m ) Sign Sign σ(q), (q) LSign ←−−−−−− sk ← KeyUpdate(sk) m∗, σ∗ forgery −−−−→ b ← Verify(pk, m∗, σ∗) ∧ (m∗ ∈/ {m(1), . . . , m(q)})∧ (i) ∧|OKeyGen| ≤ d ∧ ∀i ∈ {1, . . . , q}, |OSign| ≤ d
Fig. 1. d probing EUF-CMA game. ExecObs is a universal Turing machine that takes as input a series of observations, an algorithm and several possible arguments, and returns the output of the algorithm on those arguments, together with the leakage values corresponding to the desired observations.
10 Remark 2. Denition1 assumes that the aacker do not get any leakage during the KeyUpdate. In this model, the KeyUpdate is not part of the signing procedure. Another denition could assume that the aacker also gets leakage during the KeyUpdate. In this alternative denition, the total number of observations should be bounded by d. In other words, instead of the condition (i) P (i) ∀i ∈ {1, . . . , q}, |OSign| ≤ d, one should have i∈{1,...,q} |OSign| ≤ d.
4 Masked algorithm
In this section, the whole GLP scheme is turned into a functionally equivalent scheme secure in the d-probing model with public outputs. Note that it suces to mask the key derivation in the d-probing model and the signature in the d-probing model with public output r, since the verication step does not manipulate sensitive data.
Remark 3. e masked version of GLP scheme with commitment has also been turned into a functionally equivalent scheme proved secure in the d-probing model with public output r. Its masked version is a lile more complex, it is detailed in the AppendixB.
4.1 Overall structure For simplicity, we will show the masking on a single iteration version of the signature. e masking can be generalized by calling the masked signature again if it fails. To ensure protection against d-th order aacks, we suggest a masking countermeasure with d+1 shares for the following sensitive data : y1, y2, s1 and s2. All the public variables are (a, t) (i.e., the public key), m (i.e., the message), RejSp (i.e., the bit corresponding to the success of the rejection sampling), (z1, z2, c) (i.e., the signature). As mentioned before, because of the need of r recombination, even if r is an intermediate value, it is considered as a public output. Most operations carried out in the GLP signing algorithm are arithmetic operations modulo p, so we would like to use arithmetic masking. It means for example that y1 will be replaced by y1,0, ...y1,d ∈ R such that y1 = y1,0 + ... + y1,d mod p. e issue is that at some points of the algorithm, we need to perform operations that are beer expressed using Boolean masking. ose parts will be extracted from both the key derivation
a (s1,i)0≤i≤d
DG (s1,i)0≤i≤d (ti)0≤i≤d t H1 FullAdd
(s2,i)0≤i≤d DG
(s2,i)0≤i≤d
Fig. 2. Composition of mKD (e blue gadgets will be proved d-NIo, the white ones will be proved d-NI)
11 (s1,i)0≤i≤d (y1,i)0≤i≤d a (z1,i)0≤i≤d m
(z1,i)0≤i≤d z1 H1 H2 FullAdd DG (y1,i)0≤i≤d (z1,i)0≤i≤d (ri)0≤i≤d r c 1 Hash RS H FullAdd RejSp
(y2,i)0≤i≤d (z2,i)0≤i≤d DG (z2,i)0≤i≤d z2 H1 H2 FullAdd
(z2,i)0≤i≤d
(y2,i)0≤i≤d (s2,i)0≤i≤d c
Fig. 3. Composition of mSign (e blue gadgets will be proved d-NIo, the white ones will be proved d-NI and the red one won’t be protected) and the signature to be protected individually and then securely composed. e dierent new blocks to achieve protection against d-th order aacks are depicted hereaer and represented in Figures2 and3:
– Generation of the shared data (DG), masked version of line 1 in Algorithm2 and line 1 in Algorithm1, is a function to generate shares of y1, y2, s1 and s2. It will be described in Algorithm7, decomposed and proved d-NIo secure by decomposition. – Rejection Sampling (RS), masked version of line 5 in Algorithm2, is a test to determine if z1 and z2 belong to the set Rk−α. It will be detailed in Algorithm 16 and proved d-NI secure by decomposition. – Refresh and unmask (FullAdd) is a function that unmasks securely a variable by adding to- gether its shares modulo p without leaking the partial sums. It will be described in Algorithm 17 and proved d-NIo secure and d-NI secure when used at the end. – H1 and H2 are the elementary parts, masked versions of line 2, 3-4 and then 5-6 in Algo- rithm2. H1 is also the masked version of the instruction called in line 3 of the key derivation algorithm (Algorithm1). ey are made of arithmetic computations. ey are depicted in Algorithm 18 and 19. ey will be proved d-NI secure. – Hash function, line 2 in Algorithm2. As mentioned before, is le unmasked because it ma- nipulates only public data.
Algorithm5 shows a high level picture of mSign with all these blocks and Algorithm6 shows mKD.
e proofs of dNI or d-NIo security will be given in the following subsection. en, the composition will be proved in Section 4.3 to achieve global security in the d-probing model with public outputs. is yields the d-NIo security of the masked signature and masked key generation algorithms in eorems2 and3, respectively. By combining these results with the rened analysis of the GLP signature in eorem1, one obtains the desired security guarantee, as discussed in Section3.
12 Algorithm 5: mSign Data: m, pk = (a, t), sk = ((s1,i)0≤i≤d, (s2,i)0≤i≤d) Result: Signature σ 1 (y1,i)0≤i≤d ← DG(k, d) 2 (y2,i)0≤i≤d ← DG(k, d) 1 3 (ri)0≤i≤d ← H (a, (y1,i)0≤i≤d, (y2,i)0≤i≤d) 4 r ← FullAdd((ri)0≤i≤d) 5 c ← hash(r, m) 1 6 (z1,i)0≤i≤d ←H (c, (s1,i)0≤i≤d, (y1,i)0≤i≤d) 1 7 (z2,i)0≤i≤d ←H (c, (s2,i)0≤i≤d, (y2,i)0≤i≤d) 8 RejSp ← RS((z1,i)0≤i≤d, (z2,i)0≤i≤d, k − α) 2 9 (z1,i)0≤i≤d ← H (RejSp, (z1,i)0≤i≤d) 2 10 (z2,i)0≤i≤d ← H (RejSp, (z2,i)0≤i≤d) 11 z1 ←FullAdd((z1,i)0≤i≤d) 12 z2 ←FullAdd((z2,i)0≤i≤d) 13 return σ = (z1, z2, c)
Algorithm 6: mKD Result: Signing key sk, verication key pk 1 (s1,i)0≤i≤d ← DG(1, d) 2 (s2,i)0≤i≤d ← DG(1, d) $ 3 a ←−R 1 4 (ti)0≤i≤d ← H (a, (s1,i)0≤i≤d, (s2,i)0≤i≤d) 5 t ← FullAdd((ti)0≤i≤d) 6 sk ← ((s1,i)0≤i≤d, (s2,i)0≤i≤d) 7 pk ← (a, t) 8 return as public key (a, t) 9 return as secret key ((s1,i)0≤i≤d, (s2,i)0≤i≤d)
4.2 Masked gadgets In this section each gadget will be described and proved d-NI or d-NIo secure. e diculty is located in the gadgets containing Boolean/arithmetic conversions. In those gadgets (DG and RS) a detailed motivation and description has been made.
Data generation (DG). In the unmasked GLP signing algorithm, the coecients of the “com- mitment” polynomials y1, y2 are sampled uniformly and independently from an integer interval of the form [−k, k]. In order to mask the signing algorithm, one would like to obtain those val- ues in masked form, using order-d arithmetic masking modulo p. Note that since all of these coecients are completely independent, the problem reduces to obtaining an order-d mod-p arithmetic masking of a single random integer in [−k, k]. Accordingly, we will rst create an algorithm called Random Generation (RG) which gener- ates an order-d mod-p arithmetic masking of a single random integer in [−k, k]. Next, we will use RG in an algorithm called Data Generation (DG) which generates a sharing of a value in Rk.
13 Algorithm 7: Data Generation (DG) Data: k and d Result: A uniformly random polynomial y in Rk in arithmetic masked form (yi)0≤i≤d. d 1 (yi)0≤i≤d ← {0} 2 for j = 0 to n − 1 do 3 (ai)0≤i≤d ← RG(k, d) j 4 (yi)0≤i≤d ← (yi + aix )0≤i≤d 5 end 6 return (yi)0≤i≤d
DG is calling RG n times and is described in Algorithm7. RG is described hereaer and will be given in Algorithm 15. Let us now build RG. Carrying out this masked random sampling in arithmetic form di- rectly and securely seems dicult. On the other hand, it is relatively easy to generate a Boolean masking of such a uniformly random value. We can then convert that Boolean masking to an arithmetic masking using Coron et al.’s higher-order Boolean-to-arithmetic masking conver- sion technique [15]. e technique has to be modied slightly to account for the fact that the modulus p of the arithmetic masking is not a power of two, but the overall structure of the al- gorithm remains the same. To obtain a beer complexity, we also use the Kogge–Stone adder based addition circuit already considered in [14]. A more precise description of our approach is as follows. Let K = 2k + 1, and w0 be the smallest integer such that 2w0 > K. Denote also by w the bit size of the Boolean masking we w are going to use; we should have w > w0 + 1 and 2 > 2p. For GLP masking, a natural choice, particularly on a 32-bit architecture, would be w = 32. 0 Now the rst step of the algorithm is to generate w0-bit values (xi )0≤i≤d uniformly and independently at random, and apply a multiplication-based share refreshing algorithm Refresh, as given in Algorithm8, to obtain a fresh w-bit Boolean masking (xi)0≤i≤d of the same value x: d d M 0 M x = xi = xi. i=0 i=0
Note that x is then a uniform integer in [0, 2w0 − 1]. We then carry out a rejection sampling on x: if x ≥ K, we restart the algorithm. If this step is passed successfully, x will thus be uniformly distributed in [0,K − 1] = [0, 2k]. Of course, the test has to be carried out securely at order d. is can be done as follows: com- pute a random w-bit Boolean masking (ki)0≤i≤d of the constant (−K) (the two’s complement of K over w bits; equivalently, one can use 2w − K), and carry out the d-order secure ad- dition SecAdd (xi)0≤i≤d, (ki)0≤i≤d , given in Algorithm9 (where Refresh denotes the d-SNI multiplication-based refresh as proven in [4] and recalled in Algorithm8). e result is a Boolean masking (δi)0≤i≤d of the dierence δ = x − K in two’s complement form. In particular, the most signicant bit b of δ is 0 if and only if x ≥ K. Since computing the most signicant bit is an F2-linear operation, we can carry it out componentwise to obtain a masking (bi)0≤i≤d of b with bi = δi (w − 1). e resulting bit b is non-sensitive, so we can unmask it to check whether to carry out the rejection sampling.
14 Algorithm 8: Multiplication-based refresh algorithm for Boolean masking (Refresh) Data: A Boolean masking (xi)0≤i≤d of some value x; the bit size w of the returned masks 0 Result: An independent Boolean masking (xi)0≤i≤d of x 0 1 (xi)0≤i≤d ← (xi)0≤i≤d 2 for i = 0 to d do 3 for j = i + 1 to d do 4 pick a uniformly random w-bit value r 0 0 5 xi ← xi ⊕ r 0 0 6 xj ← xj ⊕ r 7 end 8 end 0 9 return (xi)0≤i≤d
Algorithm 9: Integer addition of Boolean maskings (SecAdd), as generated by the maskComp tool from the Kogge–Stone adder of [14]
Data: Boolean maskings (xi)0≤i≤d, (yi)0≤i≤d of integers x, y; the bit size w of the masks Result: A Boolean masking (zi)0≤i≤d of x + y 1 (pi)0≤i≤d ← (xi ⊕ yi)0≤i≤d 2 (gi)0≤i≤d ← SecAnd (xi)0≤i≤d, (yi)0≤i≤d, w 3 for j = 1 to W := dlog2(w − 1)e − 1 do j−1 4 pow ← 2 5 (ai)0≤i≤d ← (gi pow)0≤i≤d 6 (ai)0≤i≤d ← SecAnd (ai)0≤i≤d, (pi)0≤i≤d, w 7 (gi)0≤i≤d ← (gi ⊕ ai)0≤i≤d 0 8 (ai)0≤i≤d ← (pi pow)0≤i≤d 0 0 9 (ai)0≤i≤d ← Refresh (ai)0≤i≤d, w 0 10 (pi)0≤i≤d ← SecAnd (pi)0≤i≤d, (ai)0≤i≤d, w 11 end W 12 (ai)0≤i≤d ← (gi 2 )0≤i≤d 13 (ai)0≤i≤d ← SecAnd (ai)0≤i≤d, (pi)0≤i≤d, w 14 (gi)0≤i≤d ← (gi ⊕ ai)0≤i≤d 15 (zi)0≤i≤d ← xi ⊕ yi ⊕ (gi 1) 0≤i≤d 16 return (zi)0≤i≤d
15 Algorithm 10: Mod-p addition of Boolean maskings (SecAddModp) Data: Boolean maskings (xi)0≤i≤d, (yi)0≤i≤d of integers x, y; the bit size w of the masks (with 2w > 2p) Result: A Boolean masking (zi)0≤i≤d of x + y mod p w 1 (pi)0≤i≤d ← 2 − p, 0,..., 0 2 (si)0≤i≤d ← SecAdd (xi)0≤i≤d, (yi)0≤i≤d, w 0 3 (si)0≤i≤d ← SecAdd (si)0≤i≤d, (pi)0≤i≤d, w 0 4 (bi)0≤i≤d ← si (w − 1) 0≤i≤d 5 (ci)0≤i≤d ← Refresh (bi)0≤i≤d, w 6 (zi)0≤i≤d ← SecAnd (si)0≤i≤d, (ci)0≤i≤d, w e 7 (ci)0≤i≤d ← Refresh (bi)0≤i≤d, w 0 8 (zi)0≤i≤d ← (zi)0≤i≤d ⊕ SecAnd (si)0≤i≤d, (¬fci)0≤i≤d, w 9 return (zi)0≤i≤d
Aer carrying out these steps, we have obtained a Boolean masking of a uniformly random integer in [0, 2k]. What we want is a mod-p arithmetic masking of a uniformly random integer in the interval [−k, k], which is of the same length as [0, 2k]. If we can convert the Boolean masking to an arithmetic masking, it then suces to subtract k from one of the shares and we obtain the desired result. To carry out the Boolean-to-arithmetic conversion itself, we essentially follow the approach of [15, §5], with a few changes to account for the fact that p is not a power of two. e main change is that we need an algorithm for the secure addition modulo p of two val- ues y, z in Boolean masked form (yi)0≤i≤d, (zi)0≤i≤d (assuming that y, z ∈ [0, p)). Such an algorithm SecAddModp is easy to construct from SecAdd (see Algorithm 10 with SecAnd the d-order secure bitwise AND operation from [24,32] and recalled in Algorithm 11) and the com- parison trick described earlier. More precisely, the approach is to rst compute (si)0≤i≤d = SecAdd (yi)0≤i≤d, (zi)0≤i≤d , which is a Boolean sharing of the sum s = y + z without mod- 0 ular reduction, and then (si)0≤i≤d = SecAdd (si)0≤i≤d, (pi)0≤i≤d for a Boolean masking w (pi)0≤i≤d of the value −p in two’s complement form (or equivalently 2 − p). e result is a masking of s0 = s − p in two’s complement form. In particular, we have s ≥ p if and only if the most signicant bit b of s0 is 0. Denote by r the desired modular addition y + z mod p. We thus have: ( s if b = 1; r = s0 if b = 0. As a result, we can obtain the masking of r in a secure way as: